I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Instagram Bug Would Have Let Hackers Peek At Private Photos For At Least Last Six Months

If at any point before last Tuesday you suddenly found your private Instagram pics embarrassingly exposed to public perusal, Christian Lopez might be able to offer an explanation.

In August of last year, Lopez discovered a bug in Facebook’s popular photo-sharing app that would have let hackers invisibly switch a user’s Instagram privacy settings from private to public. And though the flaw is now fixed as of February 4th, it persisted for nearly six months after Lopez reported it to Facebook’s security team due to what he describes as multiple missteps that failed to fully patch the problem.

“They gave me good support and response,” says Lopez, an independent security researcher based in Barcelona, Spain, who I contacted via instant message. Lopez says he was paid a “four figure” reward by Facebook as part of its “bug bounty” program for researchers who report hackable flaws in its software. But he says he was still surprised at how long the company’s fix took. “Six months to properly fix this issue was more than expected.”

The Instagram hack used a common technique called cross-site request forgery, in which a carefully crafted link makes a user’s browser send a request to another site, with the cookies the browser has stored for that site attached automatically. So Lopez’s exploit would have required tricking the user into clicking on a link, say in a phishing email. But if a user clicked and had logged in to Instagram from the Web at any point, the trick would likely allow the attacker to change the user’s privacy settings at will via Instagram’s API. Update: An Instagram spokesperson asked me to clarify that the user would have had to have logged in specifically via a Web browser. Mobile-only users of the app wouldn’t be affected.

Since the hack took advantage of Instagram’s web interface, it affected users of iOS and Android equally, Lopez says. “You click the link in your browser, and your profile will be set to public,” he writes.

Lopez says that Facebook issued an initial fix for the problem less than a month after his report, but it failed to fix the problem for cookies that predated the fix, which would still leave most users vulnerable. And in January of this year, Lopez says he discovered a code change on Instagram’s platform had opened up the original bug again, so that even users with new cookies became vulnerable. The full timeline of his interactions with Facebook is posted on his blog here.
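To make the mechanics concrete, here is a small simulation of a state-changing “set privacy” endpoint, added for this article and not code from Instagram, Facebook or Lopez. It models three server-side handlers: one that trusts the session cookie alone (the original bug), one that checks an anti-forgery token only for sessions issued after the fix (the gap described above, where cookies predating the fix stay vulnerable), and one that requires the token on every request. The session ids, account names, token scheme (an HMAC of the session id) and HTTP status codes are all assumptions constructed for the example; the request model only captures the one property that matters, that a browser attaches cookies automatically but a third-party page cannot read the site’s token.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed server-side secret; a real deployment uses a random, per-deployment value.
SERVER_SECRET = b"constructed-example-secret"


@dataclass
class Session:
    """Server-side record for a logged-in browser session (hypothetical model)."""
    user: str
    session_id: str
    # Sessions issued before the simulated fix never received an anti-forgery token.
    issued_after_fix: bool = True


@dataclass
class Account:
    user: str
    private: bool = True


@dataclass
class Request:
    """What a state-changing 'set privacy' call looks like to the server.

    The browser attaches the session cookie automatically, so `session` is present
    whether the request was triggered by the site's own page or by a link on a
    third-party page. Only a page served by the site itself can know `csrf_token`.
    """
    session: Session
    make_private: bool
    csrf_token: Optional[str] = None


def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to the session (HMAC of the session id; an assumed scheme)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(req: Request) -> bool:
    if req.csrf_token is None:
        return False
    return hmac.compare_digest(req.csrf_token, csrf_token_for(req.session.session_id))


Handler = Callable[[Request, Dict[str, Account]], int]


def handle_vulnerable(req: Request, accounts: Dict[str, Account]) -> int:
    """Trusts the cookie alone: any page that can make the browser send the request wins."""
    accounts[req.session.user].private = req.make_private
    return 200


def handle_partial_fix(req: Request, accounts: Dict[str, Account]) -> int:
    """Checks the token only for sessions that were given one.

    Sessions whose cookies predate the fix have no token, so the check is skipped
    for them and the original bug remains reachable from those browsers.
    """
    if req.session.issued_after_fix and not token_is_valid(req):
        return 403
    accounts[req.session.user].private = req.make_private
    return 200


def handle_fixed(req: Request, accounts: Dict[str, Account]) -> int:
    """Requires a valid token on every state-changing request, old session or new."""
    if not token_is_valid(req):
        return 403
    accounts[req.session.user].private = req.make_private
    return 200


def forged_request_outcome(handler: Handler, legacy_session: bool) -> Tuple[int, bool]:
    """Simulate a request that a third-party page caused the victim's browser to send.

    Cookies ride along, but the page cannot supply the token. Returns the status the
    handler would answer and whether the account is still private afterwards.
    """
    session = Session(user="alice", session_id="sess-123", issued_after_fix=not legacy_session)
    accounts = {"alice": Account(user="alice", private=True)}
    status = handler(Request(session=session, make_private=False), accounts)
    return status, accounts["alice"].private


def same_site_request_outcome(handler: Handler) -> Tuple[int, bool]:
    """A legitimate change from the site's own settings page, which carries the token."""
    session = Session(user="alice", session_id="sess-123")
    accounts = {"alice": Account(user="alice", private=True)}
    req = Request(session=session, make_private=False,
                  csrf_token=csrf_token_for(session.session_id))
    status = handler(req, accounts)
    return status, accounts["alice"].private


if __name__ == "__main__":
    for name, handler in [("vulnerable", handle_vulnerable),
                          ("partial fix", handle_partial_fix),
                          ("full fix", handle_fixed)]:
        for legacy in (False, True):
            status, still_private = forged_request_outcome(handler, legacy_session=legacy)
            print(f"{name:12s} legacy cookie={legacy!s:5s} -> {status}, still private: {still_private}")
```

Running the script prints one line per handler and cookie age. The partial fix rejects the forged request for a fresh session but accepts it for a legacy one, which is exactly why a token check that is only enforced for new cookies leaves most existing users exposed; the full fix rejects both while the same-site request that carries the token still succeeds.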

I’ve reached out to Instagram for comment, and I’ll update this post if I hear back from the company.

Update: An Instagram spokesperson sent me this response:

We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our parent company Facebook’s White Hat Program. We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it. Due to the responsible reporting of this issue to us, we do not have evidence of account compromise using this bug.

Lopez says there’s no telling how long the bug had persisted in Instagram before his report, either. His work should serve as a reminder not to click on links sent in emails from strangers, and to think twice before posting sensitive content to social media, even when it’s hidden behind the fig leaf of a “private” account.
